Event ID 1010 — TS Web Access Computers Security Group Configuration

  • Article

Applies To: Windows Server 2008 R2

The RemoteApp and Desktop Connection Management service uses the TS Web Access Computers security group on the RD Connection Broker server to control access to who can communicate with the service. The TS Web Access Computers group must exist and be populated with the appropriate members.

Event Details

Product: Windows Operating System
ID: 1010
Source: Microsoft-Windows-RemoteApp and Desktop Connection Management
Version: 6.1
Symbolic Name: TSCPUBSVR_WMI_NO_ACCESS
Message: Access to the WMI interface on Remote Desktop Session Host server %2 was denied. Add the Remote App and Desktop Management computer to the TS Web Access Computers security group on %2.

Error Code: %1

Resolve

Check WMI and DCOM permissions

To resolve this issue, do one of the following:

  • Add the RD Connection Broker computer account to the TS Web Access Computers group on the RD Session Host server.
  • Modify the DCOM permissions on the RD Session Host server.
  • Modify the Windows Management Instrumentation (WMI) security settings on the RD Session Host server.

To perform these procedures, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

Add the RD Connection Broker computer account to the TS Web Access Computers group on the RD Session Host server

You can modify the membership of the TS Web Access Computers group by using Server Manager.

To add the RD Connection Broker computer account to the TS Web Access Computers group on the RD Session Host server:

  1. On the RD Session Host server, open Server Manager. To open Server Manager, click Start, point to Administrative Tools, and then click Server Manager.
  2. Expand Configuration, expand Local Users and Groups, and then click Groups.
  3. Right-click TS Web Access Computers, click Add to Group, and then click Add.
  4. Click Object Types, select the Computers check box, and then click OK.
  5. In the Enter the object names to select box, type the name of the RD Connection Broker server, and then click OK.
  6. Click OK to close the TS Web Access Computers dialog box.

Modify the DCOM permissions on the RD Session Host server

You can modify the DCOM permissions on the RD Session Host server by using the Component Services console.

To modify the DCOM permissions on the RD Session Host server:

  1. On the RD Session Host server, open the Component Services console. To open the Component Services console, click Start, point to Administrative Tools, and then click Component Services.
  2. Expand Component Services, right-click My Computer, and then click Properties.
  3. On the COM Security tab, under Access Permissions, click Edit Limits, and then click Add.
  4. Click Object Types, select the Computers check box, and then click OK.
  5. In the Enter the object names to select box, type TS Web Access Computers and then click OK.
  6. In the Allow column, select the Remote Access check box, and then click OK.
  7. Under Launch and Activation Permissions, click Edit Limits, and then click Add.
  8. Click Object Types, select the Computers check box, and then click OK.
  9. In the Enter the object names to select box, type TS Web Access Computers and then click OK.
  10. In the Allow column, select the Remote Launch, Local Activation, and Remote Activation check boxes, and then click OK.
  11. Click OK to close the My Computer dialog box.

Modify the WMI settings on the RD Session Host server

You must modify the WMI settings by using the WmiMgmt console, and allow WMI calls through the Windows Firewall on the RD Session Host server.

To modify the WMI settings on the RD Session Host server:

  1. On the RD Session Host server, click Start, and then click Run.
  2. Type wmimgmt.msc and then click OK.
  3. Right-click WMI Control, and then click Properties.
  4. On the Security tab, navigate to Root\CIMV2\TerminalServices.
  5. Click Security, and then click Add.
  6. Click Object Types, select the Computers check box, and then click OK.
  7. In the Enter the object names to select box, type TS Web Access Computers and then click OK.
  8. In the Allow column, select the Execute Methods, Enable Account, and Remote Enable check boxes, and then click OK.
  9. Close OK to close the WMI Control dialog box.
  10. Close the wmimgmt console.

You can allow WMI calls through the Windows Firewall by using the Windows Firewall console.

To allow WMI calls through the Windows Firewall:

  1. On the RD Session Host server, open the Windows Firewall console. To open the Windows Firewall console, click Start, click Control Panel, and then under the System and Security heading, click Check firewall status.
  2. Click Allow a program or feature through Windows Firewall.
  3. Select the check box next to Windows Management Instrumentation (WMI), and then click OK.
  4. Close the Windows Firewall console.

Verify

To verify that the TS Web Access Computers security group exists and is populated correctly, do the following:

  • Verify that the RemoteApp and Desktop Connection Management service is started.
  • Log on to the RD Web Access server that is configured to use the RD Connection Broker server.

Verify that the RemoteApp and Desktop Connection Management service is started

The RemoteApp and Desktop Connection Management service is used to communicate with the RD Session Host and RD Virtualization Host servers on your network.

To verify that the RemoteApp and Desktop Connection Management service is started:

  1. On the RD Connection Broker server, open the Services console. To open the Services console, click Start, point to Administrative Tools, and then click Services.
  2. Locate the service named RemoteApp and Desktop Connection Management.
  3. Verify that the Status column for this service displays Started.
  4. After you have verified that the RemoteApp and Desktop Connection Management service is started, log on to the RD Web Access server as outlined in the section "Log on to the RD Web Access server that is configured to use the RD Connection Broker server."

Log on to the RD Web Access server that is configured to use the RD Connection Broker server

The RD Web Access server that is configured to use the RD Connection Broker server must be available to communicate with the RD Connection Broker server.

To log on to the RD Web Access server that is configured to use the RD Connection Broker server:

  1. On the RD Web Access server, open Remote Desktop Web Access Configuration. To open Remote Desktop Web Access Configuration, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Web Access Configuration.
  2. In the Domain\user name box, type a valid domain and user account name.
  3. In the Password box, type the password for the user account.
  4. Verify that you can successfully log on to the RD Web Access server by using Remote Desktop Web Access Configuration.

TS Web Access Computers Security Group Configuration

Remote Desktop Services